Manual Chapter : Installing a Stand-alone DDoS Hybrid Defender

Applies To: F5 DDoS Hybrid Defender
  • 17.0.0, 16.1.0, 16.0.1, 16.0.0, 15.1.1, 15.1.0, 15.0.0

Overview: Installing a Stand-alone DDoS Hybrid Defender

You can install DDoS Hybrid Defender onto a dedicated system approved for the software. You can deploy the system inline or out-of-band. For out-of-band deployments, you can set up the system in one of two ways: as a span port or using NetFlow. A span port analyzes mirrored packets, and NetFlow listens for and reviews metadata.
Before you start, you must have assigned the management IP address on the LCD panel of the device, or with a hypervisor if using the Virtual Edition. This procedure is for installing a single, stand-alone DDoS Hybrid Defender system to protect against DDoS attacks. If you have two systems and want to install them for high availability, follow the steps described in Installing DDoS Hybrid Defender for High Availability.
Make sure you have this information available:
  • Base registration key
  • Management IP address, network mask, and management route IP address
  • Passwords for the root and admin accounts
  • NTP server IP address (optional)
  • Remote DNS lookup server IP address (required for F5 Silverline® integration or if resolving host names)

Performing initial setup

Before you begin, be sure to have the base registration key.
You need to perform an initial setup on your system before you can start to use DDoS Hybrid Defender. Some of the steps vary, depending on the state your system is in when you begin, and whether you are using a physical device or a virtual edition.
If setting up two systems for high availability, you need to perform initial setup on both systems.
  1. If this is a new system, specify the management IP address using the LCD panel or command line on the physical device, or using the appropriate hypervisor on the virtual edition.
  2. From a workstation browser on the network connected to the system, type: https://<management_IP_address>.
  3. At the login prompt, type the default user name admin and password admin, and click Log in.
    The admin password will be expired, requiring you to create a new password of at least six characters that meets a minimum level of complexity. The system maintenance root account will also be set to the new password.
  4. Click Next.
    The License screen opens.
  5. In the Base Registration Key field, type or paste the registration key.
    You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in the Add-On Key field.
  6. For Activation Method, leave it set to Automatic unless the system does not have Internet access. In that case, click Manual and follow the instructions for manually licensing DDoS Hybrid Defender.
  7. Click Activate.
    The license is activated.
  8. Click Next; the device certificate is displayed. Click Next again.
    The Platform screen opens.
  9. For the Management Config IPv4 setting, click Manual.
    Verify that the IP Address and Network Mask settings include the details entered using the LCD panel.
  10. If you want to define an IPv6 management IP address, configure the Management Config IPv6 setting.
  11. In the Host Name field, type the name of this system. For example, ddosdefender1.example.com.
  12. In the User Administration area, we strongly recommend that you change the Root password from the default. Type and confirm the new password.
    When you re-enter the username and password, the system logs you out. Log back in to continue with the next screen in the setup process.
  13. Click Next.
    The NTP (Network Time Protocol) screen opens.
  14. Optional: To synchronize the system clock with an NTP server, in the Address field, type the IP address of the NTP server, and click Add.
  15. Click Next.
    The DNS (Domain Name Server) screen opens.
  16. To resolve host names on the DDoS Hybrid Defender system, set up the DNS and associated servers (required for IP Intelligence):
    1. For the DNS Lookup Server List, in the Address field, type the IP address of the DNS server, and click Add.
    2. If you use BIND servers, add them to the BIND Forwarder Server List.
    3. For local domain lookups to resolve local host names, add the domains to the DNS Search Domain List.
  17. Click Finished.
If the system is connected to the Internet, it is now licensed and ready for you to configure DDoS Hybrid Defender. If the system is not connected to the Internet, you have to manually activate the license.

Manually licensing DDoS Hybrid Defender

If the DDoS Hybrid Defender system is not connected to the Internet, use this procedure to manually activate the license. Otherwise, skip this task.
If setting up two systems for high availability, you have to activate the license on both systems.
  1. From a workstation on the network connected to the system, type: https://<management_IP_address>.
  2. At the login prompt, type the user name and password for the system, and click Log in.
    The Setup utility screen opens.
  3. Click Next.
    The License screen opens.
  4. In the Base Registration Key field, type or paste the registration key.
    You receive the registration key when you purchase DDoS Hybrid Defender. If you also have the add-on IP Intelligence service, specify the key in the Add-On Key field.
  5. For the Activation Method setting, select Manual and click the Generate Dossier button.
    The dossier is displayed in the Device Dossier field.
  6. Select and copy the text displayed in the Device Dossier field, and click the Click here to access F5 Licensing Server link.
    Alternatively, you can navigate to the F5 license activation portal at https://activate.f5.com/license/.
  7. Click Activate License.
  8. In the Enter your dossier field, paste the dossier.
    Alternatively, if you saved the file onto your system, click the Choose File button and navigate to the file.
    The license key text is displayed.
  9. Copy the license key, and paste it into the License Text field.
  10. Continue with the Setup Utility.

Configuring the network for out-of-band deployment

When installing DDoS Hybrid Defender using an out-of-band deployment, you need to configure the network workflow. You can do this using span ports or NetFlow messaging.
If using the BIG-IP Virtual Edition, to set up the network as described here, you must create a security policy on the vSwitch. Configure the security policy to accept the Promiscuous Mode and Forged Transmits policy exceptions. For details about these options, see the VMware ESX or ESXi Configuration Guide.
  1. Log in to DDoS Hybrid Defender using the administrator user name and password.
  2. On the Main tab, click Network > Quick Configuration.
    The Configured Network Topologies screen shows the different types of configurations you can implement, and if any configurations exist, it shows the number of configurations (# of Configurations) on the right.
  3. If the configuration requires trunks or route domains, on the right, click << to expand the Shared Objects panel, where you can add trunks or route domains to use for any of the configurations.
    1. Click Trunks or Route Domains.
    2. Click the appropriate + to add the needed trunks or route domains.
    3. Click Commit.
    You can also create trunks or route domains the same way in each of the separate topology screens.
  4. On the main screen, click Create to use the network configuration tools.
  5. Click the appropriate network topology to get started.
    Most locations use only one type of configuration on the system. However, Netflow requires an additional configuration, such as Routed Mode, to direct the traffic to the BIG-IP system.
    Topology: When to Use
    Routed Mode: Use to deploy inline for routing traffic between subnets.
    Virtual Wire: Use Virtual Wire (L2Wire) to set up the system as an inline L2 transparent mode device. Note: Not available on the virtual edition platform.
    VLAN Group (L2 Bridge): Use the VLAN group configuration if your network relies on switch topology, and all traffic ingress to the BIG-IP system is from one VLAN, and traffic egress is through another VLAN. This is an inline deployment as an L2 transparent bridge between two L2 network segments.
    Netflow: For out-of-band deployment with additional configuration such as Routed Mode. Specifies the NetFlow configuration where the system listens for NetFlow messages and traffic information (metadata).
    SPAN Port: For out-of-band deployment only. Specifies the ports passively observing mirrored traffic (packets), and allows the system to detect but not mitigate attacks on other protected objects. Not typically used with high availability.
    Separate tasks describe configuring SPAN Ports and Netflow Messaging.
  6. Click Update to save the network configuration.
DDoS Hybrid Defender is configured for out-of-band deployment using either span ports or NetFlow messages.
At this point, you can start configuring DDoS Hybrid Defender to protect against DDoS attacks. You can also set up remote logging and Silverline, if you are using those features.

Configuring SPAN ports

You can configure DDoS Hybrid Defender out-of-band using span ports so that the system performs DDoS detection by analyzing traffic that is mirrored from a Layer 2 switch. It is typically best to mirror the Layer 2 switch ports that connect to the firewall. Since firewalls are stateful devices, traffic typically flows through them symmetrically. Thus, mirroring the ports that are connected to firewalls is a good way to direct all the packets in a session through the firewall, and over to the DDoS Hybrid Defender. By configuring span ports, DDoS Hybrid Defender can use all L2 to L7 DDoS detection mechanisms.
  1. On the Main tab, click Network > Quick Configuration.
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the SPAN Port configuration.
  4. For Span Ports, select the interface or interfaces from which to passively listen to traffic. Move the interfaces to use as SPAN ports into the Selected list.
  5. Click Finished.
The system is deployed out-of-band using SPAN ports.
At this point, you can start configuring DDoS Hybrid Defender. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection.

Examining traffic metadata using Netflow messages

Before you can use Netflow with the system, you need to perform other network configuration so that traffic is directed to the system. You can use one of the other configurations to do this. For example, you could use Routed Mode to route network traffic to the DDoS Hybrid Defender.
You can configure DDoS Hybrid Defender to receive Netflow messages so that it can examine traffic metadata for evidence of DoS attacks and prevent them.
  1. On the Main tab, click Quick Configuration > Topology.
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the Netflow configuration.
  4. For Name, type a name for the Netflow configuration.
  5. For Destination, type the IP address and netmask that specify the IP addresses on which the system listens for NetFlow messages from other devices on the network.
  6. For Port, specify the port on which the system listens for NetFlow messages.
  7. For Netflow Version, specify which version of Netflow messages to listen for.
  8. Click Finished.
DDoS Hybrid Defender is configured to listen for Netflow messages at the system level.
Next, you can create Netflow Protected Servers to more distinctly represent the servers that DDoS Hybrid Defender is protecting from DoS attacks using data from the Netflow messages. If you want to redirect traffic using scrubbing, you can create a scrubbing profile to mitigate attacks.

Creating a Netflow protected server

When DDoS Hybrid Defender is configured to examine Netflow data, you can create a Netflow protected server to represent and delineate the backend servers that are being protected from DoS attacks.
DDoS Hybrid Defender receives out-of-band Netflow metadata and uses traffic matching criteria to focus on traffic with specific characteristics.
  1. On the Main tab, click DoS Configuration > Protected Objects.
    The Protected Objects screen is displayed showing the configured protected objects.
  2. On the right, click << to open the Shared Objects pane, where you can develop traffic matching criteria so it is available to apply when creating the Netflow protected server.
    1. In the Shared Objects pane, click the + next to Traffic Matching Criteria.
    2. In the Properties pane, for Name, type a name for the criteria.
    3. For Destination Address and Destination Port, type the destination address and port where traffic is being sent.
      Using Netflow data, the system matches traffic being sent to this destination IP address and port.
    4. For Protocol, select the protocol you want the Netflow protected server to match: TCP, UDP, or All Protocols.
    5. For Source Address and Source Port, type the source address and port from which traffic is being sent.
      Using Netflow data, the system matches traffic being sent from this IP address and port.
    6. Select VLANs or route domains to match, then close the pane.
    7. Click the Update button.
  3. On the far right of the main screen, click Create > Netflow Protected Server.
    The Shared Objects pane opens on the right showing traffic matching criteria for Netflow protected servers. The Properties pane also appears; that is where you create the Netflow protected server.
  4. In the Properties pane, for Name, type a name for the Netflow protected server.
  5. From Traffic Matching Criteria, select the criteria you created.
  6. In the Throughput Capacity (Mbps) field, type the maximum allowable throughput in megabits per second for the Netflow protected server. Infinite means no limit.
  7. In the Packet Capacity (pps) field, type the maximum packets per second for the Netflow protected server. Infinite means no limit.
  8. In the Connection Capacity (cps) field, type the maximum connections per second for the Netflow protected server. Infinite means no limit.
  9. Click the Save button.
    To view scrubbing settings in a separate browser tab, click View Scrubbing Profiles before saving.
    The system creates the Netflow Protected Server.
Now you have configured the system to send Netflow data to DDoS Hybrid Defender. You still need to configure the specific DDoS protections you want to apply by creating a protected object. If you want to scrub traffic, you also need to create a scrubbing profile.
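What the Netflow listener and a Netflow protected server do with the exported metadata, as an added Python example that is not F5 code: it decodes NetFlow v5 export datagrams (checking the version and record count a listener should verify before trusting the data), applies traffic matching criteria built from the destination, source and protocol fields described above, and compares the matched rates with the Throughput Capacity and Packet Capacity limits, with None standing for Infinite. The exporter datagram, addresses and class names are the example's own constructions.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional

# NetFlow v5 layouts (network byte order): 24-byte header, 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    packets: int
    octets: int

def parse_v5(packet: bytes, expected_version: int = 5) -> List[Flow]:
    """Decode one export datagram; reject other Netflow versions and a record
    count that overruns the datagram (a malformed or spoofed export)."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("truncated NetFlow header")
    version, count = V5_HEADER.unpack_from(packet, 0)[:2]
    if version != expected_version:
        raise ValueError(f"NetFlow version {version}, expected {expected_version}")
    if len(packet) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(src=str(ipaddress.IPv4Address(r[0])),
                          dst=str(ipaddress.IPv4Address(r[1])),
                          sport=r[9], dport=r[10], proto=r[13],
                          packets=r[5], octets=r[6]))
    return flows

@dataclass
class TrafficMatchingCriteria:
    """The page's criteria fields; assumption: port 0 / proto None mean any."""
    dst_net: str = "0.0.0.0/0"
    dst_port: int = 0
    proto: Optional[int] = None
    src_net: str = "0.0.0.0/0"
    src_port: int = 0

    def matches(self, f: Flow) -> bool:
        return (ipaddress.ip_address(f.dst) in ipaddress.ip_network(self.dst_net)
                and ipaddress.ip_address(f.src) in ipaddress.ip_network(self.src_net)
                and self.dst_port in (0, f.dport)
                and self.src_port in (0, f.sport)
                and self.proto in (None, f.proto))

@dataclass
class NetflowProtectedServer:
    name: str
    criteria: TrafficMatchingCriteria
    throughput_mbps: Optional[float] = None   # None stands for Infinite
    packet_pps: Optional[float] = None        # None stands for Infinite

def evaluate(server: NetflowProtectedServer, flows: List[Flow], window_s: float) -> dict:
    """Sum the matching flows over one export window; compare with capacities."""
    matched = [f for f in flows if server.criteria.matches(f)]
    pps = sum(f.packets for f in matched) / window_s
    mbps = sum(f.octets for f in matched) * 8 / 1_000_000 / window_s
    return {
        "matched_flows": len(matched), "pps": pps, "mbps": mbps,
        "pps_exceeded": server.packet_pps is not None and pps > server.packet_pps,
        "mbps_exceeded": server.throughput_mbps is not None and mbps > server.throughput_mbps,
    }

def build_v5_packet(records) -> bytes:
    """Constructed exporter output (offline stand-in for a real exporter);
    records are (src, dst, sport, dport, proto, packets, octets)."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                       0, 1, 2, pk, oc, 0, 0, sp, dp, 0, 0, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc in records)
    return header + body

# Constructed sample: two UDP/53 flows toward one server, one unrelated TCP flow.
SAMPLE_PACKET = build_v5_packet([
    ("198.51.100.7", "203.0.113.10", 40000, 53, 17, 60_000, 3_600_000),
    ("198.51.100.9", "203.0.113.10", 40001, 53, 17, 55_000, 3_300_000),
    ("198.51.100.20", "203.0.113.20", 51234, 443, 6, 300, 120_000),
])

DNS_SERVER = NetflowProtectedServer(
    name="dns-1",
    criteria=TrafficMatchingCriteria(dst_net="203.0.113.10/32", dst_port=53, proto=17),
    throughput_mbps=100.0, packet_pps=50_000)

def sample_result(window_s: float = 1.0) -> dict:
    """Rates for the sample over a window_s-second export interval."""
    return evaluate(DNS_SERVER, parse_v5(SAMPLE_PACKET), window_s)
```

With the sample the packet rate (115,000 pps) exceeds the 50,000 pps Packet Capacity while the 55.2 Mbps throughput stays under the 100 Mbps limit, so only the packet threshold trips.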

Creating a profile to scrub traffic

You can configure a scrubbing profile for a route domain, a protected server, or a blacklist category. The scrubbing profile defines the conditions under which DDoS Hybrid Defender sends a message to the upstream router instructing it to redirect traffic. Scrubbing is typically used when DDoS Hybrid Defender is deployed out-of-band but it can be used inline as well.
  1. On the Main tab, click DoS Setup > Scrubbing Profile.
  2. In the Advertisement TTL field, specify the amount of time, in seconds, that scrubbed IP addresses are advertised to the BGP router or Silverline. The default is 300 seconds.
    Infinite means continue scrubbing the route domain, protected server, or blacklist category until you manually stop it by selecting the object and clicking Stop Redirect. It is not recommended that you select Infinite. If you do, you need to monitor traffic to see when the attack has concluded, then manually stop redirection.
  3. If using Silverline to offload scrubbed traffic, for Silverline, select Enabled, then complete the configuration:
    1. For URL, type the URL or fully qualified domain name used to connect to the Silverline DDoS Protection service.
    2. In the User field, type the user name for an active Silverline DDoS Protection account. For example, username@example.com.
    3. In the Password field, type the password for the Silverline DDoS Protection account.
  4. Add the route domain, protected server, or blacklist category for which you want to scrub traffic.
    The route domain, Netflow protected server, or protected object must have already been created on the system. Create route domains in Network > Topology, in the Shared Objects pane on the right. Create Netflow protected servers or protected objects (virtual servers) in DoS Configuration > Protected Objects.
    A blacklist category can only be scrubbed (and will only be listed) if its Match Type is set to Destination. To check this, go to DoS Setup > IP Intelligence > Blacklist Categories and click the category.
    1. Click the Route Domains, Protected Servers, or Categories tab.
    2. On the appropriate tab, click Add.
      For Protected Servers, you also need to choose whether to add a monitored virtual server (protected object) or a Netflow protected server.
    3. Select the previously configured route domain, protected server, or blacklist category for which to configure thresholds, and configure the remaining settings.
      If using BGP Flowspec as the advertisement method, you need to create a Flowspec Route Injector profile to establish the connection to the upstream router.
    4. Click Done Editing when finished.
Now you have configured the system to notify the upstream router when thresholds are exceeded for a route domain, protected server, or blacklist category.

Sending the blacklist to a next-hop router

DDoS Hybrid Defender detects bad actors, adding their IP addresses to a blacklist temporarily. You can specify an edge router to which to advertise the blacklist, so it can stop the traffic causing a DoS attack. To advertise to edge routers, you must configure a Blacklist Publisher.
  1. On the Main tab, click DoS Setup > Blacklist Publisher.
  2. Click Add.
  3. From Blacklist Category, select the category for this blacklist publisher.
    You can review the existing blacklist categories and create new ones at DoS Setup > IP Intelligence > Black List Categories.
  4. For Publisher Profile, specify one or more publisher profiles to use for this blacklist publisher.
    To create a publisher profile, open the side pane on the right (click <<).
    1. Next to Publisher Profiles, click +.
    2. For Name, type a name for the profile.
    3. From Route Domain, select the route domain for the network segment that applies to this publisher profile.
    4. For Advertisement Method, select the method (BGP or BGP Flowspec) by which you want to advertise blacklisted addresses.
    5. For Advertisement Next-Hop IPv4 or IPv6, type the next-hop IPv4 or IPv6 address of the BGP router to which you want to advertise blacklisted addresses.
    6. Click Commit to create the publisher profile.
  5. Specify publisher profiles for as many blacklist categories as you need to.
The BGP routers you specified will drop traffic from IP addresses on the blacklist until the blacklist entry is automatically removed.

Advertising with BGP Flowspec

If setting up scrubbing or blacklisting and you plan to advertise using BGP Flowspec, you need to create a flowspec route injector profile. This profile lets you deploy and propagate flow specifications among BGP peer routers to mitigate the effects of a DDoS attack on your network. BGP flowspec sends a specific flow format to the border routers instructing them to take suitable action.
  1. On the Main tab, click DoS Setup > Flowspec Route Injector.
  2. Click Create.
    The New Flowspec Route Injector Profile screen opens.
  3. For Name, type a name for the profile.
  4. From the Route Domain list, select the route domain to associate with the flowspec route injector profile.
    You must specify one route domain when creating the profile, and you can't change it after profile creation.
    Create route domains in Network > Topology, in the Shared Objects pane on the right.
  5. For Maximum Number of Routes, type the maximum number of flowspec routes that can be advertised simultaneously for each flowspec route injector profile (or route domain). Valid values are 100 to 10,000; the default is 1000.
  6. If you have multiple BGP neighbors that use a shared configuration, in the Peer Group area, define the common attributes that the neighbors in the profile share.
    Adj Out: Enables or disables the BGP adj-rib-out feature, which stores information that the local BGP speaker has advertised to its peers.
    BGP Multiple Instance: Specifies whether multiple BGP instances are allowed. If allowed, you can configure each instance of a multi-instance BGP using a different AS number.
    Extended ASN Cap: Specifies whether to enable extended autonomous system number (ASN) capabilities. When enabled, allows the device to send 4-byte BGP ASNs; if disabled, sends 2-byte ASNs.
    Graceful Restart: Specifies whether to enable a graceful restart of the BGP session, maintaining forwarding routing information during a TCP session termination and re-establishment.
    Graceful Restart Time: Specifies the estimated time (in seconds) for the BGP session to be re-established after a restart. You can use this to speed up routing convergence by its peer if the BGP speaker does not come back after a restart.
    Hold Time: Specifies the maximum time in seconds that can elapse between messages from a peer. The Hold Time value is advertised in OPEN messages and indicates to the peer how long to consider the sender valid. If the peer does not receive a keepalive, update, or notification message within the specified hold time, the BGP connection to the peer is closed, and routing devices through that peer become unavailable.
    Local AS: Specifies the BGP local autonomous system number.
    Remote AS: Specifies the BGP remote autonomous system number.
    Router ID: Specifies the BGP router ID (an IPv4 address) to be used in the BGP OPEN message when initiating a BGP connection with peers.
  7. Neighbors are typically other upstream routers or BGP-enabled devices. In the Neighbors area, you can add, modify, or delete BGP peer neighbors. Type the information into the fields for at least the first BGP neighbor, then click Done Editing. Click Create to add more BGP-enabled devices here.
    Peer Address: Specifies the IP address of the peer neighbor.
    Local Address: Specifies the local address on the DDoS Hybrid Defender to be used for initiating BGP connections with peers.
    Local AS: Specifies the BGP local autonomous system number.
    Remote AS: Specifies the BGP remote autonomous system number.
    Adj Out: Enables or disables the BGP adj-rib-out feature, which stores information that the local BGP speaker has advertised to its peers.
    BGP Multiple Instance: Specifies whether multiple BGP instances are allowed. If allowed, you can configure each instance of a multi-instance BGP using a different AS number.
    Extended ASN Cap: Specifies whether to enable extended autonomous system number (ASN) capabilities. When enabled, allows the device to send 4-byte BGP ASNs; if disabled, sends 2-byte ASNs.
    Graceful Restart: Specifies whether to enable a graceful restart of the BGP session, maintaining forwarding routing information during a TCP session termination and re-establishment.
    Graceful Restart Time: Specifies the estimated time (in seconds) for the BGP session to be re-established after a restart. You can use this to speed up routing convergence by its peer if the BGP speaker does not come back after a restart.
    Hold Time: Specifies the maximum time in seconds that can elapse between messages from a peer. The Hold Time value is advertised in OPEN messages and indicates to the peer how long to consider the sender valid. If the peer does not receive a keepalive, update, or notification message within the specified hold time, the BGP connection to the peer is closed, and routing devices through that peer become unavailable.
    Router ID: Specifies the BGP router ID (an IPv4 address) to be used in the BGP OPEN message when initiating a BGP connection with peers.
  8. When you finish setting up the flowspec route injector profile, click Commit Changes to System.
You created the flowspec route injector profile to deploy and propagate flow specifications among BGP peer routers.
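What a BGP Flowspec advertisement carries on the wire once the route injector has a session with its peers, as an added Python example that is not F5 code: it encodes an RFC 8955 flow specification NLRI (destination and source prefixes, IP protocol, destination port) together with the traffic-rate extended community that tells the peer router to discard matching traffic, and decodes the NLRI back the way a peer would. The attacker and victim addresses are constructed, and the BGP session itself (the peer group and neighbor settings above) is out of scope.

```python
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

# RFC 8955 component types; a rule lists its components in ascending type order.
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
OP_END, OP_EQ = 0x80, 0x01      # numeric operator bits: end-of-list, equality

def _prefix_component(ctype: int, cidr: str) -> bytes:
    """Type + prefix length in bits + only as many address bytes as needed."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def _numeric_component(ctype: int, values: List[int]) -> bytes:
    """Type + {operator, value} pairs; values are OR'ed, the last pair carries
    the end-of-list bit, and the operator encodes the value width (1/2/4 bytes)."""
    out = bytearray([ctype])
    for i, v in enumerate(values):
        if v < 0x100:
            size, code = 1, 0
        elif v < 0x10000:
            size, code = 2, 1
        elif v < 0x100000000:
            size, code = 4, 2
        else:
            raise ValueError("value too large")
        op = OP_EQ | (code << 4)
        if i == len(values) - 1:
            op |= OP_END
        out.append(op)
        out += v.to_bytes(size, "big")
    return bytes(out)

def encode_flowspec_nlri(dst: Optional[str] = None, src: Optional[str] = None,
                         protocols=None, dst_ports=None, src_ports=None) -> bytes:
    """NLRI = length (1 byte below 240, else 2 bytes with 0xF prefix) + components."""
    comps = b""
    if dst:
        comps += _prefix_component(DST_PREFIX, dst)
    if src:
        comps += _prefix_component(SRC_PREFIX, src)
    if protocols:
        comps += _numeric_component(IP_PROTO, protocols)
    if dst_ports:
        comps += _numeric_component(DST_PORT, dst_ports)
    if src_ports:
        comps += _numeric_component(SRC_PORT, src_ports)
    if not comps:
        raise ValueError("a flow specification needs at least one component")
    if len(comps) < 240:
        return bytes([len(comps)]) + comps
    if len(comps) < 0x1000:
        return struct.pack("!H", 0xF000 | len(comps)) + comps
    raise ValueError("NLRI too long")

def traffic_rate_community(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """traffic-rate extended community (type 0x80, sub-type 0x06, 2-byte AS,
    IEEE float). Rate 0 tells the peer to discard matching traffic."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)

def decode_flowspec_nlri(nlri: bytes) -> Dict[int, object]:
    """Parse an NLRI back into {component type: value}, as a peer router would."""
    if nlri[0] >= 0xF0:
        n, pos = struct.unpack("!H", nlri[:2])[0] & 0x0FFF, 2
    else:
        n, pos = nlri[0], 1
    if len(nlri) != pos + n:
        raise ValueError("NLRI length field does not match payload")
    result: Dict[int, object] = {}
    while pos < len(nlri):
        ctype = nlri[pos]
        pos += 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen = nlri[pos]
            nbytes = (plen + 7) // 8
            addr = nlri[pos + 1:pos + 1 + nbytes].ljust(4, b"\0")
            result[ctype] = f"{ipaddress.IPv4Address(addr)}/{plen}"
            pos += 1 + nbytes
        else:
            values = []
            while True:
                op = nlri[pos]
                size = 1 << ((op >> 4) & 3)
                values.append(int.from_bytes(nlri[pos + 1:pos + 1 + size], "big"))
                pos += 1 + size
                if op & OP_END:
                    break
            result[ctype] = values
    return result

def drop_rule(attacker: str, victim: str, proto: int, port: int) -> Tuple[bytes, bytes]:
    """The shape of rule a blacklist publisher pushes: match one blacklisted
    source toward the protected destination and discard it (rate 0)."""
    nlri = encode_flowspec_nlri(dst=f"{victim}/32", src=f"{attacker}/32",
                                protocols=[proto], dst_ports=[port])
    return nlri, traffic_rate_community(0.0)
```

The Maximum Number of Routes setting above bounds how many such NLRIs a profile keeps advertised at once; each blacklisted address costs one.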

Configuring the network for an inline stand-alone device

You must first configure the network to create the workflow when installing DDoS Hybrid Defender as an inline device. You do this by creating VLANs (virtual local area networks), and associating the physical interfaces on the system with them. The way you set up the system depends on your network organization. Here are some of the configurations to consider:
  • Use the VLAN Group setup (L2 bridge mode), for example, if you use switch topology
  • Use Virtual Wire (L2Wire) to set up the system as an inline L2 transparent mode device
  • Define VLANs, if the system uses routed technology
  • Define routes as needed to direct traffic.
If using the BIG-IP Virtual Edition, to set up the network as described here, you must create a security policy on the vSwitch. Configure the security policy to accept the Promiscuous Mode and Forged Transmits policy exceptions. For details about these options, see the VMware ESX or ESXi Configuration Guide.

Configuring the network using routed mode

If using routed technology, you can deploy DDoS Hybrid Defender in routed mode within the current configuration. You can choose the network whose traffic goes through the DDoS Hybrid Defender, and let the rest continue to follow the path prior to deploying the device. The way you set up the system depends on your network organization.
If setting up the two systems for high availability, you must configure the network on both the active and standby systems.
  1. On the Main tab, click Network > Quick Configuration.
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the Routed Mode configuration.
  4. In the VLAN area, type a name, specify the VLAN tag, select the interface for the VLAN and whether it is tagged or untagged, then click Add.
  5. In the IP Address/Mask (Port Lockdown) area:
    1. Type the IP address and mask that specify a range of IP addresses spanning the hosts in the VLAN. This is required.
    2. After the IP address, select the Port Lockdown setting: select Allow None to accept no traffic; Allow Default to accept default protocols and services only; or Allow All to activate TCP and UDP services. Allow All exposes every service listening on the address, so choose it only when a service on that address is actually needed.
    3. Optional: To share an IP address between two high availability devices (such as if data passes through a router on the way to DDoS Hybrid Defender), in the Floating IP/Mask (Port Lockdown) field, type the floating IP address (it must be in the same subnet as the IP address), and select the Port Lockdown setting.
      The floating IP address must be the same on both devices, and you must configure it on both devices since it represents the active device.
      Using a floating IP address means the router always sends to the same address regardless of which system is active.
    4. Click Add.
  6. If your system connects to other networks through additional routers, add the required routes so the traffic can reach its destination. In the Routes area, type the network IP address, netmask, and gateway IP address (this is the next-hop router address), then click Add.
  7. Click Save Configuration.
  8. If you need additional routed mode configurations, click Add to create them.
  9. When done, click Finished.
The system is configured for routing traffic between subnets.
At this point, you can start configuring DDoS Hybrid Defender. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection.

Deploying inline using virtual wire

Use the virtual wire configuration to set up the system as an inline L2 transparent mode device (the ingress and egress VLANs are the same). This deployment is not available on virtual edition platforms.
If setting up the two systems for high availability, you must configure the network on both the active and standby systems.
  1. On the Main tab, click Quick Configuration > Topology.
  2. Click Create to start configuring the network.
    A visual representation of the network configuration types is displayed.
  3. Click the Virtual Wire configuration.
  4. For Name, type a name for the Virtual Wire configuration.
  5. For Member 1 and Member 2, select unique interfaces (or trunks) for the ingress and egress ports on the system.
  6. In the VLAN Traffic Management Configuration area, for Define VLANs, select Add to create a VLAN group.
  7. For Name, type a name for the VLAN group.
  8. If using tagged VLANs, type a tag number for the VLANs (an integer from 1 to 4095) and select the Tagged check box.
  9. Click Add to add the VLAN group.
  10. In the Actions area, for Propagate Virtual Wire Link Status, select Enabled if you want to propagate link status.
  11. Click Finished.
The system creates a Virtual Wire configuration.
At this point, you can start configuring DDoS Hybrid Defender. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection.

Deploying inline using VLAN groups

You can put DDoS Hybrid Defender in transparent mode on a link between two Layer 3 devices, so that the IP addresses on each end of the link don’t have to change. The VLAN Group configuration creates VLANs and VLAN groups to set up the system as an inline L2 transparent bridge between two network segments. This is useful if your network relies on switch topology, and all traffic ingress to the BIG-IP system is from one VLAN, and traffic egress is through another VLAN.
If setting up the two systems for high availability, you must configure the network on both the active and standby systems.
  1. On the Main tab, click Quick Configuration > Topology.
  2. Click Create to start configuring the network.
     A visual representation of the network configuration types is displayed.
  3. Click the VLAN Group configuration.
  4. For VLAN Group Name, type a name for the VLAN Group.
  5. Specify the members of the VLAN group. For Member 1 and Member 2, type the VLAN tag number, specify the interface to use for traffic management, select whether it is tagged or untagged, and click Add.
  6. In the IP Address/Mask (Port Lockdown) area:
     1. Type the IP address and mask that specifies a range of IP addresses spanning the hosts in the VLAN. This is required.
     2. After the IP address, select the Port Lockdown setting: select Allow None to accept no traffic; Allow Default to accept default protocols and services only; and Allow All to activate TCP and UDP services.
     3. Optional: To share an IP address between two high availability devices (such as if data passes through a router on the way to DDoS Hybrid Defender), in the Floating IP/Mask (Port Lockdown) field, type the floating IP address (it must be in the same subnet as the IP address), and select the Port Lockdown setting.
        The floating IP address must be the same on both devices, and you must configure it on both devices since it represents the active device.
        Using a floating IP address makes it so the router always goes to the same address regardless of which system is active.
     4. Click Add.
  7. If your system connects to other networks through additional routers, add the required routes so the traffic can reach its destination. In the Routes area, type the network IP address, netmask, and gateway IP address (this is the next hop router address), then click Add.
  8. Click Finished.
The system is deployed inline as an L2 transparent bridge between two L2 network segments.
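The Virtual Wire and VLAN Group procedures above state several constraints that are easy to get wrong when keying settings into the form on two HA devices: the VLAN tag must be an integer from 1 to 4095, Member 1 and Member 2 must be different interfaces, the floating IP must sit in the self IP's subnet and be identical on both devices, and Port Lockdown is one of three values. The following pre-flight validator encodes those checks; it is an added example, not F5 code, and the addresses and interface names in the sample settings are constructed.

```python
import ipaddress

# Port Lockdown choices offered by the VLAN Group form.
PORT_LOCKDOWN = {"Allow None", "Allow Default", "Allow All"}

# Constructed sample settings for an HA pair (hypothetical addresses and interfaces).
SAMPLE_ACTIVE = {"tag": 100, "member1": "1.1", "member2": "1.2",
                 "self_ip": "10.1.1.2/24", "floating_ip": "10.1.1.1",
                 "port_lockdown": "Allow Default"}
SAMPLE_STANDBY = dict(SAMPLE_ACTIVE, self_ip="10.1.1.3/24")

def check_vlan_tag(tag):
    """A VLAN tag must be an integer from 1 to 4095 (what the form accepts)."""
    return isinstance(tag, int) and 1 <= tag <= 4095

def check_self_and_floating(self_ip, floating_ip):
    """self_ip is 'addr/prefix'; the floating IP must be in that subnet and differ from it."""
    iface = ipaddress.ip_interface(self_ip)
    if floating_ip is None:
        return True  # floating IP is optional on a single stand-alone device
    fip = ipaddress.ip_address(floating_ip)
    return fip in iface.network and fip != iface.ip

def validate_device(cfg):
    """Return the list of problems in one device's settings; an empty list means OK."""
    problems = []
    if not check_vlan_tag(cfg["tag"]):
        problems.append(f"VLAN tag {cfg['tag']!r} is not an integer from 1 to 4095")
    if not cfg["member1"] or cfg["member1"] == cfg["member2"]:
        problems.append("Member 1 and Member 2 must be different interfaces")
    if cfg["port_lockdown"] not in PORT_LOCKDOWN:
        problems.append(f"unknown Port Lockdown value {cfg['port_lockdown']!r}")
    try:
        if not check_self_and_floating(cfg["self_ip"], cfg.get("floating_ip")):
            problems.append("floating IP must be in the self IP subnet and differ from it")
    except ValueError as exc:  # unparsable address or mask
        problems.append(f"bad address: {exc}")
    return problems

def validate_ha_pair(active, standby):
    """Problems for an HA pair: both devices valid, distinct self IPs, identical floating IP."""
    problems = [f"active: {p}" for p in validate_device(active)]
    problems += [f"standby: {p}" for p in validate_device(standby)]
    if active["self_ip"] == standby["self_ip"]:
        problems.append("active and standby must use different self IPs")
    if active.get("floating_ip") != standby.get("floating_ip"):
        problems.append("floating IP must be the same on both devices")
    return problems
```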
At this point, you can start configuring DDoS Hybrid Defender. You can set up remote logging and Silverline, if you are using those features. Then you can begin setting up DDoS protection.

Connecting with F5 Silverline

Connecting with F5 Silverline® is optional, and is available for customers who have an active F5 Silverline DDoS Protection subscription.
To integrate the F5 Silverline Cloud Platform with DDoS Hybrid Defender as a way to mitigate DDoS attacks, you need to specify F5 Silverline authentication credentials.
If setting up the two systems for high availability, you must register with Silverline on both the active and standby systems.
  1. On the Main tab, click DoS Setup > Silverline.
  2. In the Username field, type the user name for an active Silverline DDoS Protection account. For example, username@example.com.
  3. In the Password field, type the password for the Silverline DDoS Protection account.
  4. In the Service URL field, type the URL or fully qualified domain name used to connect to the Silverline DDoS Protection service.
  5. Click Update to save the credentials.
     DDoS Hybrid Defender sends a registration request to the F5 Silverline Cloud Platform.
  6. Log in to the F5 Silverline customer portal (https://portal.f5silverline.com) and specify DDoS Hybrid Defender as an Approved Hybrid Signaling Device.
Depending on your network configuration, you may need to add a VLAN and route to enable DDoS Hybrid Defender to communicate with Silverline.
DDoS Hybrid Defender is now integrated with the Silverline Cloud Platform.
When configuring the device or objects to protect, you will need to select the Silverline check box to send information about DDoS attacks to the Silverline Cloud Platform.

Setting up remote logging

You can specify remote logging destinations on DDoS Hybrid Defender. Set up remote logging if you want to consolidate statistics gathered from multiple appliances onto a Security Information and Event Management (SIEM) device, such as ArcSight or Splunk. If setting up high availability, configure remote logging on the active device.
When configuring remote high-speed logging of system events, it is helpful to understand the objects you need to create and why, as described here:
What to create | Why
Pool | Create a pool of remote log servers to which the BIG-IP system can send log messages.
Destination | Create a log destination of Remote High-Speed Log type that specifies a pool of remote log servers. If your remote log servers are the ArcSight, Splunk, IPFIX, or Remote Syslog type, create an additional log destination to format the logs in the required format and forward the logs to a remote high-speed log destination.
Publisher | Create a log publisher to send logs to a set of specified log destinations.
Logging profile | Create a logging profile to enable logging of user-specified data at a user-specified level, and associate a log publisher with the profile.
Protected object | Associate a logging profile with a protected object to define how the system logs security events on the traffic that the protected object processes.
Following are the general steps to set up remote logging:
  1. Create a pool of remote servers to which the system can send log messages: on the Main tab, click Visibility > Event Logs > Pools, create, then add the log servers and ports.
  2. Create a remote high-speed log destination: on the Main tab, click System > Logs > Configuration > Log Destinations, create, specify the type, and any other settings for the remote log destination.
  3. Create a publisher for the system to send log messages: on the Main tab, click System > Logs > Configuration > Log Publishers, create, and select the log destinations for the publisher.
  4. Create a logging profile: on the Main tab, click Visibility > Event Logs > Logging Profiles, create, select the types of logs, and complete the associated settings.
     • Network Firewall provides logs for IP intelligence and traffic statistics.
     • DoS Protection provides logs for DNS, SIP, and Network DoS events.
     • Bot Defense provides logs for HTTP DoS protection for application security.
  5. Associate the logging profile with the appropriate protected object: on the Main tab, click DoS Configuration > Protected Objects, then click the name of the protected object. In the properties pane on the right, select the logging profile to use.
Depending on your network configuration, you may need to add a VLAN and route to enable DDoS Hybrid Defender to communicate with the remote logging server.
Refer to External Monitoring of BIG-IP Systems: Implementations for additional information about configuring logging.
Event logs from DDoS Hybrid Defender are sent to the remote logging server in the format you specified.